-rw-r--r--CHANGELOG.md1
-rw-r--r--include/functions12
-rw-r--r--include/tests_filesystems43
-rwxr-xr-xlynis8
4 files changed, 39 insertions, 25 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index df8afa5c..dd1288c5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -228,6 +228,7 @@ Tests
* FILE-6374 - Added /dev/shm and /var/tmp
* FILE-6374 - New test for /var/tmp
* FILE-7524 - Support for multiple profiles
+* HTTP-6632 - Fix for proper detection of Apache modules
* HTTP-6642 - Test disabled
* HTTP-6710 - Trigger suggestion when weak protocols SSLv2/SSLv3 are used
* KRNL-5788 - Support for kernel with grsecurity patches (linux-image-grsec)
diff --git a/include/functions b/include/functions
index 29104c0e..080e3523 100644
--- a/include/functions
+++ b/include/functions
@@ -1411,7 +1411,7 @@
################################################################################
LogText() {
- if [ ! "${LOGFILE}" = "" ]; then CDATE=`date "+%Y-%m-%d %H:%M:%S"`; echo "${CDATE} $1" >> ${LOGFILE}; fi
+ if [ ! "${LOGFILE}" = "" ]; then CDATE=$(date "+%Y-%m-%d %H:%M:%S"); echo "${CDATE} $1" >> ${LOGFILE}; fi
}
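Review bot: `${LOGFILE}` is still unquoted in the redirect on the changed LogText line, so a log path containing whitespace makes the append fail (bash reports an ambiguous redirect). Nothing checks the result, so the log entry is silently lost. Quote it while the line is being touched: `echo "${CDATE} $1" >> "${LOGFILE}"`. The same applies to the `>> ${LOGFILE}` context line in LogTextBreak and to the new `> ${LOGFILE}` line in the lynis hunk.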
@@ -1423,12 +1423,17 @@
LogTextBreak() {
if [ ! "${LOGFILE}" = "" ]; then
- CDATE=`date "+[%H:%M:%S]"`
+ CDATE=$(date "+%Y-%m-%d %H:%M:%S")
echo "${CDATE} ===---------------------------------------------------------------===" >> ${LOGFILE}
fi
}
+ ################################################################################
+ # Name : ParseProfiles()
+ # Description : Check file permissions and parse data from profiles
+ # Returns : <nothing>
+ ################################################################################
ParseProfiles() {
SafePerms ${INCLUDEDIR}/profiles
@@ -1436,10 +1441,9 @@
}
-
################################################################################
# Name : ParseTestValues()
- # Description : Parse nginx configuration lines
+ # Description : Parse values from a specific test
# Inputs : service (e.g. ssh)
# Returns : CHECK_VALUES_ARRAY
################################################################################
diff --git a/include/tests_filesystems b/include/tests_filesystems
index 14eb21b1..849c34e9 100644
--- a/include/tests_filesystems
+++ b/include/tests_filesystems
@@ -645,39 +645,44 @@
#################################################################################
#
# Test : FILE-6430
- # Description : Disable Mounting of some Filesystems : cramfs hfs hfsplus squashfs udf freevxfs jffs2
-
- Register --test-no FILE-6430 --weight L --network NO --description "Disable Mounting of some filesystems"
+ # Description : Disable mounting of some filesystems
+ # Rationale : Unless there is a specific reason to use a particular file system, disable it.
+ # Data : cramfs freevxfs hfs hfsplus jffs2 squashfs udf
+ Register --test-no FILE-6430 --weight L --network NO --description "Disable mounting of some filesystems"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then
- Display --indent 2 --text "- Disable Mounting of some filesystems"
- LIST_FS_NOT_SUPPORTED="cramfs hfs hfsplus squashfs udf freevxfs jffs2"
+ Display --indent 2 --text "- Disable mounting of some filesystems"
+ LIST_FS_NOT_SUPPORTED="cramfs freevxfs hfs hfsplus jffs2 squashfs udf"
for FS in ${LIST_FS_NOT_SUPPORTED}; do
- Display --indent 4 --text "- Disable Mounting of $FS Filesystems"
- LogText "Test: Checking if $FS is not present in loaded modules"
+ Display --indent 4 --text "- Disable mounting of ${FS} filesystem"
+ LogText "Test: Checking if ${FS} is not present in loaded modules"
# Check if FS is present in lsmod output
- FIND=`${LSMODBINARY} | grep $FS | wc -l`
- if [ "${FIND}" = "0" ]; then
- LogText "Module $FS not loaded in the kernel"
- Display --indent 6 --text "- Module $FS not loaded in the kernel" --result OK --color GREEN
+ FIND=`${LSMODBINARY} | ${EGREPBINARY} "^${FS}"`
+ if [ -z "${FIND}" ]; then
+ LogText "Result: module ${FS} not loaded in the kernel"
+ Display --indent 6 --text "- Module ${FS} not loaded in the kernel" --result OK --color GREEN
+ AddHP 2 2
else
- LogText "Module $FS loaded in the kernel"
- Display --indent 6 --text "- Module $FS loaded in the kernel" --result "REMOVE NEEDED" --color YELLOW
+ LogText "Result: module ${FS} loaded in the kernel"
+ Display --indent 6 --text "- Module $FS loaded in the kernel" --result "FOUND" --color YELLOW
+ AddHP 2 5
fi
# Check if FS is present in modprobe output
- FIND=`${MODPROBEBINARY} -v -n $FS 2>/dev/null | tail -1`
- if echo $FIND | ${EGREPBINARY} -q "insmod .*${FS}.ko"; then
- Display --indent 6 --text "- Module $FS present in the kernel" --result "REMOVE NEEDED" --color YELLOW
+ FIND=`${MODPROBEBINARY} -v -n $FS 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | tail -1`
+ if [ ! -z "${FIND}" ]; then
+ LogText "Result: found module support in kernel: ${FIND}"
+ Display --indent 6 --text "- Module ${FS} present in the kernel" --result "FOUND" --color YELLOW
+ AddHP 2 3
else
- Display --indent 6 --text "- Module $FS not present in the kernel" --result OK --color GREEN
- ReportSuggestion ${TEST_NO} "The modprobe.d should contains a file with the entry 'install $FS /bin/true'"
+ AddHP 2 2
+ Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN
+ #ReportSuggestion ${TEST_NO} "The modprobe.d directory should contain a file with the entry 'install ${FS} /bin/true'"
fi
done
else
LogText "Test skipped lsmod binary not found or /proc/modules can not be opened"
fi
fi
-
#
#################################################################################
#
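Review bot: The new lsmod check `${EGREPBINARY} "^${FS}"` anchors only the start of the module name, so the `hfs` iteration also matches a loaded `hfsplus` and reports hfs as FOUND when only hfsplus is loaded. Anchor the end of the name as well, for example `FIND=$(${LSMODBINARY} | ${EGREPBINARY} "^${FS}[[:space:]]")`. In the modprobe check the dot in `"/${FS}.ko"` is unescaped; that is harmless for this list, but `"/${FS}\.ko"` states the intent. With the ReportSuggestion line commented out, neither FOUND branch appears to write anything to the report, so the finding seems to reach only the screen and the log. Consider adding a suggestion in the FOUND branches, or removing the dead comment.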
diff --git a/lynis b/lynis
index 4dd79c2a..f66bef86 100755
--- a/lynis
+++ b/lynis
@@ -32,7 +32,7 @@
PROGRAM_AUTHOR_CONTACT="lynis-dev@cisofy.com"
# Version details
- PROGRAM_RELEASE_DATE="2016-06-30"
+ PROGRAM_RELEASE_DATE="2016-07-11"
PROGRAM_RELEASE_TIMESTAMP=1467279295
PROGRAM_RELEASE_TYPE="dev" # dev or final
PROGRAM_VERSION="2.2.1"
@@ -473,7 +473,8 @@ ${NORMAL}
#################################################################################
#
# Clear log file and test if it's writable
- echo "### Starting ${PROGRAM_NAME} ${PROGRAM_VERSION} with PID ${OURPID}, build date ${PROGRAM_RELEASE_DATE} ###" > ${LOGFILE}
+ CDATE=$(date "+%Y-%m-%d %H:%M:%S")
+ echo "${CDATE} Starting ${PROGRAM_NAME} ${PROGRAM_VERSION} with PID ${OURPID}, build date ${PROGRAM_RELEASE_DATE}" > ${LOGFILE}
if [ $? -gt 0 ]; then
Display --indent 2 --text "- Clearing log file (${LOGFILE})... " --result WARNING --color RED
echo "${WARNING}Fatal error${NORMAL}: problem while writing to log file. Check location and permissions."
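Review bot: The `>` redirect on the new echo line truncates whatever `${LOGFILE}` resolves to, and a redirect follows symlinks. Where LOGFILE is set is not visible in this hunk, so this matters only if the path can ever sit in a directory writable by other users while the scan runs with elevated privileges. If that is possible, check before the write, for example `if [ -L "${LOGFILE}" ]; then` followed by the existing fatal-error path. The block continues past the end of the hunk.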
@@ -496,6 +497,9 @@ ${NORMAL}
Report "os_fullname=${OS_FULLNAME}"
Report "os_version=${OS_VERSION}"
if [ "${OS}" = "Linux" ]; then Report "linux_version=${LINUX_VERSION}"; fi
+ if [ ! -z "${OS_KERNELVERSION}" ]; then Report "os_kernel_version=${OS_KERNELVERSION}"; fi
+ if [ ! -z "${OS_KERNELVERSION_FULL}" ]; then Report "os_kernel_version_full=${OS_KERNELVERSION_FULL}"; fi
+
Report "hostname=${HOSTNAME}"
if [ "${HOSTNAME}" = "" ]; then